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Amendments to the Specification: 

Applicant has enclosed a Substitute Specification. The specification has been amended 
to comply with PTO format requirements by including section headings and paragraph numbers 
as well as the priority claim. Enclosed are both a marked-up copy of the specification and a 
clean copy of the Substitute Specification. 

Please insert the following as the new first paragraph in the application. 

CROSS-REFERENCE TO RELATED APPLICATION 

This is a 371 National Phase application of International Application No. 
PCT/GB2003/004589 filed on 22 October 2003 which claims priority to application Serial 
No. GB 0308264.1 filed on 10 April 2003. 
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1 . A method for recovering a data repository from a failure affecting a primary copy of the 
data repository, including the steps of: 

maintaining a secondary copy of data sufficient to recover the primary copy of the data 
repository and data items held thereon; 

in response to a failure affecting the primary copy of the data repository, recreating a 
primary copy of the data repository from the secondary copy; [[and]] 

using a restore process to restore data items to the primary copy from the secondary copy 
within a recovery unit of work, wherein data items restored to the primary copy of the data 
repository within the recovery unit of work are made inaccessible to processes other than the 
restore process until commit of the recovery unit of work; 

prior to commit of the recovery unit of work, configuring the primary copy of the data 
repository to enable addition of data items to the data repository independent of said restore step 
and to enable processes other than the restore process to retrieve said independently added data 
items; and 

in response to successful completion of the restore step, committing the recovery unit of 
work including releasing said inaccessibility of the restored data. 

2. [[A]] The method according to claim 1 , wherein maintaining the secondary data copy 
comprises storing a backup copy of the data repository and storing log records describing 
updates to the primary copy performed since the backup copy was stored; wherein recreating the 
primary copy of the data repository includes the step of copying data repository definitions from 
the backup copy and applying the definitions to recreate the primary copy; and wherein restoring 
data items to the primary copy comprises copying data items from the backup copy and 
replaying the log records to identify and reapply updates to the primary copy. 



-3- 



ATTORNEY DOCKET NO. 
GB920020064US1 



PATENT 



3. [[A]] The method according to claim 1, wherein maintaining the secondary data copy 
includes storing log records that describe updates to the primary copy, and wherein the step of 
restoring the primary copy of the repository includes the steps of: 

replaying the log records of operations performed on data items within the primary copy 
of the data repository[[,]]; 

caching log records relating to operations performed under syncpoint control within an 
original unit of work[[,]]; 

determining from the cached log records the state of the original units of work at the time 
of the failure[[,]]; and 

determining which of said syncpoint-controlled operations to perform within the recovery 
unit of work based on the determined state of the original units of work. 

4. [[A]] The method according to claim 3, including performing operations within the 
recovery unit of work in accordance with the following procedure: 

if the original unit of work was committed before the failure, performing the relevant 
operations of the committed unit of work; 

if the original unit of work was in-doubt when the failure occurred, performing the 
relevant operations of the in-doubt unit of work but marking the operations in-doubt; and 

if the original unit of work is neither committed nor in-doubt, discarding the cached 
operations. 

5. [[A]] The method according to claim 3, including discarding from the recovery unit of 
work any pairs of addition and deletion operations that comprise an addition of a data item to the 
primary copy of the data repository and a deletion of the same data item from the primary copy 
of the data repository, on condition that said addition and deletion operations were performed 
and committed before the failure. 
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6. [[A]] The method according to Claim 5 any one of the preceding claims , wherein the data 
repository is a message repository and the step of restoring data to the primary copy of the data 
repository comprises performing message add, update and delete operations on the message 
repository. 

7. [[A]] The method according to claim 6, for performance within a messaging 
communication system, wherein maintaining the secondary data copy includes storing log 
records to describe updates to the primary copy, and wherein the step of restoring data to the 
primary copy of the repository includes the steps of caching log records relating to message add, 
update and delete operations performed under syncpoint control within an original unit of work, 
determining from the log records the state of the original unit of work at the time of the failure, 
and determining the operations to perform within the recovery unit of work based on the 
determined state of the original unit of work as follows: 

if the original unit of work is committed, performing the relevant message add, update 
and delete operations; and 

if the original unit of work is in-doubt, performing the relevant message add, update and 
delete operations but marking the operations in-doubt; and 

if the original unit of work is neither committed nor in-doubt, discarding the cached 
operations. 

8. [[A]] The method according to Claim 1 any one of the preceding claims , wherein data 
restored to the primary copy of the repository within the recovery unit of work is made 
inaccessible by setting a flag for each data item restored to the data repository, the flag indicating 
that the data item is not accessible. 

9. [[A]] The method according to claim 8, wherein the flag indicates a transactional state of 
the data item and wherein a process for retrieving data items from the repository is adapted to 
identify one or more predefined transactional states as inaccessible. 
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10. [[A]] The method according to claim 8 or claim 9, wherein the flag comprises a byte 
value of a distinctive primary key allocated to the data item when the data item is restored to the 
data repository, the byte value being selected from a range of values indicative of the 
transactional state of the data item. 

1 1 . [[A]] The method according to any one of claims 8 to Claim 10, wherein the step of 
setting a flag comprises: 

setting a first flag for any data item for which the latest operation performed on the data 
item prior to the failure was a committed add operation which is to be restored to the data 
repository within the recovery unit of work; and 

setting a second flag for any data item for which the latest operation performed on the 
data item prior to the failure was an in-doubt add or delete operation which is to be restored to 
the data repository within the recovery unit of work. 

12. [[A]] The method according to claim 1 1 , wherein the first flag comprises a byte value of 
a data item key selected from a first range of byte values representing a first transactional state 
and the second flag comprises a byte value of a data item key selected from a second range of 
byte values representing a second transactional state. 

13. A data communication system including: 

data storage for storing a primary copy of a data repository; 

secondary data storage for storing a secondary copy of data representing the data 
repository which secondary data is sufficient to recover the primary copy of the data repository 
and data held thereon; 

a recovery component for controlling the operation of the data communication system to 
recover from a failure affecting the primary copy of the data repository, wherein the recovery 
component is operable to control the data communication system to perform the steps of: 
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recreating a primary copy of the data repository from the secondary copy; and 

using a restore process to restore data items to the primary copy from the secondary copy 
within a recovery unit of work, wherein data items restored to the primary copy of the data 
repository within the recovery unit of work are made inaccessible to processes other than the 
restore process until commit of the recovery unit of work; 

prior to commit of the recovery unit of work, configuring the primary copy of the data 
repository to enable addition of data items to the data repository independent of said restore step 
and to enable processes other than the restore process to retrieve said independently added data 
items; and 

in response to successful completion of the restore step, committing the recovery unit of 
work including releasing said inaccessibility of the restored data. 

14. [[A]] The data communication system according to Claim 13, comprising a data 
communication system for transferring messages between a sender and a receiver, wherein 
messages are held in the data repository following a message send operation by the sender and 
the messages are subsequently retrieved from the data repository for delivery to the receiver, and 
wherein a backup copy of the data repository is created and log records are written to record 
message send and message retrieval events since creation of the backup copy, wherein the 
recovery component is adapted to control the data communication system to perform the 
following steps: 

in response to a failure affecting the data repository, restoring messages to the data 
repository by reference to the backup copy of the data repository which backup copy was created 
prior to the failure; 

prior to completion of the recovery processing, configuring the data repository to enable 
new messages to be added to the data repository and retrieved therefrom without awaiting 
completion of the recovery processing; and 
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reapplying updates to the data repository corresponding to message send and message 
retrieval operations performed prior to the failure, by reference to log records created prior to the 
failure; 

wherein the steps of restoring messages to the data repository and reapplying updates to 
the data repository by reference to the backup copy and log records are performed within a 
recovery unit of work and the restored messages and reapplied updates are made inaccessible 
until all data repository updates corresponding to send and retrieve operations performed prior to 
the failure have been reapplied to the data repository. 

15. A computer program product comprising program code recorded on a recording medium 
for controlling the operation of a data processing apparatus on which the program code executes 
to perform a method for recovering a data repository from a failure affecting a primary copy of 
the data repository, for use with a data processing apparatus having a secondary data storage and 
having a component for maintaining a secondary copy of data in the secondary data storage 
which secondary copy is sufficient to recover the primary copy of the data repository and data 
items held thereon, the method including the steps of: 

in response to a failure affecting the primary copy of the data repository, recreating a 
primary copy of the data repository from the secondary copy; [[and]] 

using a restore process to restore data items to the primary copy from the secondary copy 
within a recovery unit of work, wherein data items restored to the primary copy of the data 
repository within the recovery unit of work are made inaccessible to processes other than the 
restore process until commit of the recovery unit of work; 

prior to commit of the recovery unit of work, configuring the primary copy of the data 
repository to enable addition of data items to the data repository independent of said restore step 
and to enable processes other than the restore process to retrieve said independently added data 
items; and 
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in response to successful completion of the restore step, committing the recovery unit of 
work including releasing said inaccessibility of the restored data. 

16 A computer program for controlling the operation of a data processing apparatus on 
which the program executes to perform a method for recovering a data repository from a failure 
affecting a primary copy of the data repository, wherein the data processing apparatus has a 
secondary data storage area and wherein the computer program includes a component for 
maintaining a secondary copy of data in the secondary data storage area which secondary copy is 
sufficient to recover the primary copy of the data repository and data items held thereon, the 
method including the steps of: 

in response to a failure affecting the primary copy of the data repository, recreating a 
primary copy of the data repository from the secondary copy; and 

using a restore process to restore data items to the primary copy from the secondary copy 
within a recovery unit of work, wherein data items restored to the primary copy of the data 
repository within the recovery unit of work are made inaccessible to processes other than the 
restore process until commit of the recovery unit of work; 

prior to commit of the recovery unit of work, configuring the primary copy of the data 
repository to enable addition of data items to the data repository independent of said restore step 
and to enable processes other than the restore process to access said independently added data 
items. 
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